On 5/11/2011 3:04 a.m., Markus Nilsson wrote:
Hi!I'm having some trouble with kerberos (negotiate) authentication and the Proxy-Authorization header. Currently I am using digest, and it's working fine. I allow most request in squid, but am using a url_rewriter to check if the user really has permission to access a specific site. This way I can let some users, without logging in, access some sites, but require proxy_auth access for other. To achieve this I protect one single page (redirector) with http_access allow authenticated_users redirector This way I can forward all requests which are blocked by the url_rewrite_program to a splash-page, with a link to this blocked page, and by doing that force a proxy login. This works very well, and makes it easy for the end users. It has the side effect though that Squid does not extract the username, and hence the url_rewrite_program will not get the username. I have solved this with a helper that extracts this information from the Proxy-Authorization header: #Extracts username from HTTP-header external_acl_type username ttl=3600 %{Proxy-Authorization} /usr/bin/extract_username_from_proxy_header acl username external username This helper returns OK user=username or OK if no username is found. With this I will opportunistically get a username if it is provided through the Proxy-Authorization header. And by the rule below, I can see in the logs that the username is extracted correctly http_access allow all !redirector username Now to my problem; when adding kerberos authentication, I can't seem to find the Proxy-Authorization header on more than the request to the redirector acl, and when I analyze in firebug, I can't see that it is continuously sent by the browser. Is the negotiate authentication scheme different in this way than digest (and plain)? Or am I doing something wrong here...? Plain and Digest sends their Proxy-Authorization headers on all request after a successful login, even if squid does not require them to do so. Thanks for any input! Kind Regards Markus
HTTP requires auth credentials on every request. BUT, Kerberos and NTLM are a bit special and try to violate HTTP in many ways. They are not authenticating the request itself like they should be. But are authenticating the TCP connection using the first request(s) over it. The good browsers send the Kerberos/NTLM credentials on followup requests anyway, but some agents are broken and prefer to break HTTP instead of following the rules for good performance.
Amos
